paper-slides
Fail
Audited by Gen Agent Trust Hub on May 13, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill's style-reference logic uses a bash block that interpolates user-controlled arguments directly into a shell command: `CACHE=$(python3 tools/extract_paper_style.py --source "<source>")`. An attacker could exploit this to execute arbitrary commands by crafting a malicious `--style-ref` argument containing shell metacharacters.
- [DATA_EXFILTRATION]: The skill attempts to access and potentially read `~/.claude/feishu.json`. Accessing hidden configuration files in the user's home directory is a significant data exposure risk, as these files frequently contain sensitive API keys or authentication tokens.
- [REMOTE_CODE_EXECUTION]: In Phase 7, the skill dynamically generates a Python script (`slides/generate_pptx.py`) and executes it using `python3`. Generating and executing code at runtime is a high-risk pattern that can be used to execute malicious payloads if the generation process is influenced by untrusted input.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection. It ingests data from external paper sections (`paper/sections/*.tex`) and incorporates it into agent prompts and the `mcp__codex__codex` tool without using boundary markers, sanitization, or instructions to ignore embedded commands. This allows an attacker to manipulate the slide generation or talk script via hidden instructions in the research paper's LaTeX source.
Recommendations
- AI detected serious security threats
Audit Metadata